"Efficient Evaluation of Attribute-Based Access Control Policies"

Shamik Sural, Department of Computer Science and Engineering, Indian Institute of Technology (IIT) Kharagpur

Abstract: Access control mechanisms are used by organizations to mitigate the risk of unauthorized access to data, resources and systems. For traditional information systems that deal only with a pre-specified set of users, access control models like Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC) work satisfactorily. The primary limitation of these traditional models is their significant dependence on user identity for making access decisions. Owing to this, such models are found to be unsuitable for dynamic situations, where unknown users from various domains may have to be given access. Further, an inherent lack of extendibility makes it difficult to consider the context in which the access request is made. To handle these requirements, the Attribute-Based Access Control (ABAC) model has recently been proposed.

In ABAC, a user is permitted or denied access to an object based on a set of rules (together called an ABAC Policy) specified in terms of the values of attributes of the different types of entities, namely, user, object and environment. Efficient evaluation of these rules is therefore essential for making decisions at on-line speed when an access request arrives. Sequentially evaluating all the rules in a policy is inherently time consuming and does not scale well with the size of the ABAC system and the frequency of access requests. This problem, which is quite pertinent for practical deployment of ABAC, has so far received little attention from the research community.

In this talk, we introduce two variants of a tree data structure for representing ABAC policies, which we call PolTree. In the binary version (B-PolTree), at each node of the tree, a decision is taken based on whether a particular attribute-value pair is satisfied or not. The n-ary flavor (N-PolTree), on the other hand, grows as many branches out of a given node as the total number of possible values for the attribute being checked at that node. Extensive experimental evaluation with diverse data sets shows the scalability and effectiveness of this approach.
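A minimal sketch of the n-ary idea described above, added here as an illustration; it is not the PolTree construction presented in the talk. The attribute names, domains, rules, fixed attribute order and the fallback branch for out-of-domain values are all constructed assumptions.

```python
from itertools import product

# Constructed attribute domains (user, object and environment attributes).
DOMAINS = {
    "user.role": ["doctor", "nurse", "clerk"],
    "object.type": ["record", "invoice"],
    "env.shift": ["day", "night"],
}
# Constructed policy: each rule is a conjunction of attribute-value pairs;
# an attribute a rule omits is "don't care". Access is granted if any rule matches.
POLICY = [
    {"user.role": "doctor", "object.type": "record"},
    {"user.role": "nurse", "object.type": "record", "env.shift": "day"},
    {"user.role": "clerk", "object.type": "invoice"},
]

def sequential_permit(policy, request):
    """Baseline: test every rule in turn."""
    return any(all(request.get(a) == v for a, v in rule.items()) for rule in policy)

def build(rules, attrs):
    """Return True/False for a leaf, or (attribute, branches, other) for a node."""
    if any(not rule for rule in rules):   # some rule has no conditions left
        return True
    if not rules or not attrs:
        return False
    attr, rest = attrs[0], attrs[1:]
    def narrowed(value):
        # Keep rules that agree with attr == value (or ignore attr); drop the tested pair.
        return [{a: v for a, v in r.items() if a != attr}
                for r in rules if r.get(attr, value) == value]
    # One branch per possible value of the attribute checked at this node.
    branches = {value: build(narrowed(value), rest) for value in DOMAINS[attr]}
    # Assumed fallback for a missing or out-of-domain value: only rules ignoring attr survive.
    other = build([r for r in rules if attr not in r], rest)
    return (attr, branches, other)

def tree_permit(node, request):
    """One branch lookup per level instead of one comparison pass per rule."""
    while not isinstance(node, bool):
        attr, branches, other = node
        node = branches.get(request.get(attr), other)
    return node

TREE = build(POLICY, list(DOMAINS))

def decisions_agree():
    """Check the tree against the baseline for every request in the domain."""
    requests = (dict(zip(DOMAINS, combo)) for combo in product(*DOMAINS.values()))
    return all(tree_permit(TREE, r) == sequential_permit(POLICY, r) for r in requests)
```

The tree is built once when the policy changes; each request then costs at most one lookup per attribute, independent of the number of rules.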

Bio: Shamik Sural is a full professor in the Department of Computer Science and Engineering, Indian Institute of Technology (IIT) Kharagpur. He received the Ph.D. degree from Jadavpur University, Kolkata, India in the year 2000. Before joining IIT in 2002, Shamik spent more than a decade in the Information Technology industry working in India as well as in Michigan, USA.
Shamik was a recipient of the Alexander von Humboldt Fellowship for Experienced Researchers in 2009, which enabled him to carry out research at TU Munich, Germany. He spent the Fall 2019 semester at Rutgers University as a Fulbright scholar engaged in both teaching and research. He is also an ACM Distinguished Speaker. Shamik is a senior member of IEEE and has previously served as the Chairman of the IEEE Kharagpur section. He is currently serving on the editorial boards of IEEE Transactions on Dependable & Secure Computing and IEEE Transactions on Services Computing. His research interests include computer security and data science.

Please let us know if you require an accommodation in order to participate in this event. Accommodations may include live captioning, ASL interpreters, and/or captioned media and accessible documents from recorded events. At least 5 days in advance is recommended.
